Asked by davidpm

How to duplicate a WebRamp 300e with Linux

The WebRamp 300e is an analog router that accepts 1 to three modems (www.rampnet.com). It is programmed via a web interface with a phone number, username and password, and it sets its IP address to be 192.168.1.1 and serves DHCP to Win and Linux clients.
If I get a static IP from my ISP it is obviously assigned to the router. I can (and this is what I would like to know how they do it) create a visible (their term) computer. This means that all traffic to this static IP is routed to the visible computer on a private address like 192.168.1.2. The net effect is that from the inside network the visible computer's address is 192.168.1.2 and from the outside Internet the IP address of this same computer is the static address my ISP defined.
But there is an exception: traffic from the outside to the static IP can be directed to the router if it is web or FTP traffic.
There is another exception: instead of a visible computer, a local application (WebRamp term) can be created where a specific 192.168.1.x address is associated with a specific TCP/IP port.
This lets me take a single valid IP address and assign different services to different physical computers behind the router.
Where do I go to start emulating this behavior? I suspect IP/chains. Also, is the CNAME deal going to be part of this?


davidpm (ASKER)

I'm not sure if I was clear, but the main purpose of this box is to share one IP address, ISP account and modem with multiple Windows clients on a network at the same time.
I know IP chains can do this, but what about the other features:
modem 2 and 3
visible computer
application server

One significant limitation to this box is the limit of one IP address per modem.
Is this a limitation of this box only, or could I with Linux have a single dial-up connection and connect several Windows clients behind the Linux box with real Internet addresses and not use NAT?

jlevie

Oh where to start...

IPchains & IP Masq can do most, but not all, of what the WebRamp box does. Certainly, that combination can provide NAT (well, strictly speaking they provide NPAT (Network Port-Address Translation)). And they can port-forward services in to specific internal computers. They only provide a many-to-one address translation service, so you can't have the "visible computer" that the WebRamp box has, as there isn't a mechanism for static IP translation.

There is an alternative to consider in ipfilter (http://cheops.anu.edu.au/~avalon/ip-filter.html). It can do firewalling, NPAT (many-to-one) and true NAT (one-to-one) dynamically and with static translations. Ipfilter really starts to be useful when you have a netblock of external IP's to play with. In that case you can do traditional static translations to conduit external requests to internal servers.

Any Linux box can provide DHCP services, and there can be other servers (web, ftp, etc) running on the box to provide services to external clients.

Neither of these approaches quite does what the WebRamp box can do. They can do part of the job, but not everything.

As to the multiple modem capability. Yes Linux can have multiple modems, and it can do some of the things the WebRamp box does. I suspect that it's not as easy to set up as the WebRamp and can't do quite as much. My reading of the docs implies that not only can it do multi-link PPP to an ISP that supports same. It can also do bandwidth on demand over separate links (multi-path in router terms). The box itself (or ppp in general) doesn't limit you to one IP address per modem. That is a function of what the ISP is willing to do. If they are willing to assign an IP netblock (and you are willing to pay for it) you can have as many IP's for local use as desired. The ppp link in this case becomes a network link rather than a remote mode.

Okay, time for questions...

davidpm (ASKER)

I read on another forum that samba and IP Masq can not run on the same computer. Is this true? I hope not.

I'm not sure what the following means.
>>They only provide a many-to-one address translation service, so you can't have the "visible computer" that the WebRamp box has as there isn't a mechanism for static IP translation.

Have you used IPfilter on Red Hat? They only mention BSD etc. on their webpage.

Can Linux support multilink PPP? How?
Bandwidth on demand?

What are the differences?
>It can do firewalling, NPAT (many-to-one) and true NAT (one-to-one) dynamically and with static translations.

The most interesting possibility is the one of running a netblock over a PPP line. I have a lot of pull with my ISP and I have clients that would like PCAnywhere access to multiple computers via the Internet and can only get analog service in their town.
The WebRamp supports only one IP per modem.

Also, back to an earlier thought. Is there any time you know of where an entry in host name other than localmachine.localdomain is appropriate? I am bugged about this because of the following quote from "Linux for Dummies"
(no comments re the quality of my reference source)
"When the Network Configurator dialog box first appears, it doesn't contain any information other than localhost.localdomain in the hostname field. Leave this information alone, because your ISP will probably not be supplying you with a permanent identity for your system other than that your e-mail name and account on their server."
This implies to me that it should be changed under some circumstances.



In reverse order of the questions...

As to the localhost.localdomain question. "The Official Red Hat Linux Reference Guide" (for RH 6.1, from RedHat) says on page 109:

"The "Host name" tab will request a host name, which should be specified by default unless you did not setup your networking during the installation process. If it is not already specified, please take the time now to configure it. It should be specified at (ed, sp?) localhost.localdomain. Skip this tab. Select the tab for Adaptor 1."

I take that to mean that "Host name" should always be localhost.localdomain.

Regarding netblocks. A netblock is the ideal way to do something like you have in mind. First you have more IP addresses to work with, which simplifies the process of providing services on multiple server boxes. Second all of the issues that can arise when doing NPAT are neatly side stepped. Internal hosts can have either static or dynamic address translation. This means that if an internal host needs to always get the same external IP it can be done (static translation). Other hosts can simply get any free IP address from a pool of external addresses (dynamic translation). When using dynamic translation you typically have more inside hosts than the pool size as not all will need an external IP at the same time. Ratios from 2:1 to 8:1 are fairly common, with a number of vendors recommending about 4:1 (four inside hosts for every external IP).

The ppp protocol is restricted to a single IP at each end of the link. This doesn't mean that a ppp connection can't be used to implement a netblock (or network) connection. Right now I've got a Cisco ISDN router that connects via ppp over ISDN to my network at work and links my local (Class C home LAN) to the work network. The ppp link does have to be a network unto itself, but it only has to have two usable IP's (a netblock of 4). The rest is just routing issues.

NPAT (many-to-one) means that many internal hosts will be translated to one external IP via port translation, hence the term "Network Port Address Translation". This is also referred to as PAT ("Port Address Translation"). NAT (one-to-one) means that any time an inside client needs to use the Internet the router/firewall will assign a unique external IP, either a static or dynamic (see above).

The rest will have to wait for tomorrow...

>> I read on another forum that samba and IP Masq can not run on the same computer. Is this true? I hope not.

NOT TRUE. I am running both on several machines.

davidpm (ASKER)

Am I right in guessing that the place to start is to:
1. Get a modem working with Linux
2. Get a Win 98 box to work through the Linux box with IP Masq.

What about the multimodem concept? Is multilink PPP available, for example?

You start from either the inside or the outside network, it really doesn't matter. Just make one side work right, then add the other. With what you've learned so far, there's probably a slight advantage to starting with the modem as that will be more of an unknown than setting up the inside network. Configuring IP Masq isn't all that difficult for relatively simple environments.

There's quite a bit of good information about ppp (though a touch dated) in http://www.redhat.com/mirrors/LDP/HOWTO/PPP-HOWTO.html. And yes you can do multilink ppp, see http://linux-mp.terz.de/ for one way, there may be others.

davidpm (ASKER)

I have to run another phone line to the lab to test this stuff out. I'm concentrating on the Samba stuff now and will get back to this one in a few days. Thanks

This question appears to have stalled out...

davidpm (ASKER)

Yes, sorry about that. I have to get another phone line to my lab to start testing this stuff.
Will be away this week but back in the saddle next week.
One problem I run into all the time, including today.
Client with a cable modem, only one IP address is available from the cable company. I use 192.168.1.x/24 for the internal network.

They always want to be able to get to any specific machine from the outside with a remote control product.
Is this possible? Maybe by forcing the remote control product to use port x for host 1, x+1 for host 2 etc. Have you ever done/thought about this sort of thing?
With the WebRamp and the visible computer I can pick one host to connect to but not more.

That's a common problem with all NPAT implementations, since it's doing a port forward to the inside IP. If you can set the ports that the service uses (on both ends of course) then, yes, you should be able to port forward each of the sequential ports to unique inside machines.

davidpm (ASKER)

Something just came up again today. Some of our services, DSL for example, charge extra for IP addresses. For example, if I have 50 hosts but only 5 need static IP addresses. For example one host needs PC Anywhere access, one is a web server, and a couple share a database through IP. Is there a way I could use NPAT with 192.68.1.x addresses for all 50 hosts then associate the 4 extra routable addresses with a 192.168.1.x address at the router side? Sort of a one-to-one mapping. This way each host would have a local 192 address and 4 hosts would also have an externally available real address and we only have to pay for 5.

Not with ipchains, it can only do NPAT. Unfortunately it won't work on anything but a 2.0.x Linux kernel, but ipfilters can do real NAT (& firewalling) of all persuasions (many-to-one, many-to-a-pool, and one-to-one). You can mix'n'match the NAT forms in the same box. It works fine under FreeBSD and Solaris x86 and makes a dynamite gateway. The homepage is: http://cheops.anu.edu.au/~avalon/ip-filter.html
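
The two ideas from the answers above (one forwarded port per inside host on a single address, and mixing one-to-one translations with NPAT on the same gateway), written as an ipfilter `ipnat.conf` generator. This is an added example, not part of the original thread; the interface name, addresses and port numbers are constructed.

```shell
#!/bin/sh
# Added example: emit ipnat.conf rules for ipfilter. Interface name,
# addresses and ports are constructed for illustration.
#
# gen_ipnat IFACE LAN_CIDR BASE_PORT "STATIC_PAIRS" "FORWARD_HOSTS"
#   STATIC_PAIRS  : inside=outside pairs, one-to-one (static NAT)
#   FORWARD_HOSTS : inside hosts reached on BASE_PORT, BASE_PORT+1, ...
gen_ipnat() {
    iface=$1 lan=$2 base=$3 statics=$4 forwards=$5

    # 1. Static one-to-one translations. ipnat applies the first matching
    #    rule, so these go before the catch-all map rules.
    for pair in $statics; do
        case $pair in
            *=*) ;;
            *) echo "bad static pair: $pair" >&2; return 1 ;;
        esac
        echo "bimap $iface ${pair%%=*}/32 -> ${pair#*=}/32"
    done

    # 2. One external port per inside host on the shared address. Each
    #    rule accepts any source; limit who may connect with ipf filter rules.
    port=$base
    for host in $forwards; do
        if [ "$port" -gt 65535 ]; then
            echo "port range exhausted at $host" >&2; return 1
        fi
        echo "rdr $iface 0.0.0.0/0 port $port -> $host port $port tcp"
        port=$((port + 1))
    done

    # 3. Every other inside host shares the interface address (NPAT).
    echo "map $iface $lan -> 0/32 portmap tcp/udp 40000:60000"
    echo "map $iface $lan -> 0/32"
}

# Constructed scenario: two hosts with their own routable address, two
# remote-control hosts on ports 5001 and 5002, the rest behind NPAT.
gen_ipnat ppp0 192.168.1.0/24 5001 \
    "192.168.1.2=203.0.113.2 192.168.1.3=203.0.113.3" \
    "192.168.1.11 192.168.1.12"
```

With a single external address, pass an empty string for the static pairs and only the `rdr` and `map` rules are produced.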

davidpm (ASKER)

I'll take another look at that one. You mentioned it early on but I missed it somehow.

davidpm (ASKER)

I'm a little afraid of it because I have never used FreeBSD, only Linux.

davidpm (ASKER)

Are there any similar projects in Linux?

davidpm (ASKER)

I'm not going to be able to get to this project due to other more pressing learning requirements. Your insights were excellent, thank you. When I get back to this subject I'm sure I'll need more help to actually make it work.

Okay...